# Registers a confidential OIDC client in Keycloak and publishes its
# credentials to a Vault KV v2 mount for the consuming workload.
resource "keycloak_openid_client" "oidc" {
  realm_id  = var.realm
  client_id = var.client_id

  # Display name falls back to the client id when no name is supplied.
  name    = var.name == null ? var.client_id : var.name
  enabled = true

  # Confidential client using the standard (authorization code) flow.
  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true

  use_refresh_tokens = var.use_refresh_tokens

  # Enabling the service account lets the client authenticate as itself
  # with its secret. No role mapping for that account is declared in this
  # file (see the commented-out stub below).
  service_accounts_enabled = var.service_accounts_enabled

  # Root URL defaults to a per-client host under janky.solutions.
  root_url = var.root_url == null ? "https://${var.client_id}.janky.solutions" : var.root_url

  # SECURITY: when the caller passes no redirect URIs, this falls back to the
  # wildcard "/*". Keycloak resolves relative redirect URIs against root_url,
  # so every path on that host becomes an accepted redirect target. Callers
  # should pass the exact callback path(s) in var.valid_redirect_uris to keep
  # authorization codes from being delivered to unintended endpoints.
  valid_redirect_uris = length(var.valid_redirect_uris) > 0 ? var.valid_redirect_uris : ["/*"]
}

# resource "keycloak_openid_client_service_account_realm_role" ""

# Stores the client id and secret in Vault under
# "<namespace or client_id>/default/oidc-client-credentials-<client_id>".
#
# SECURITY: the client secret is an attribute of the Keycloak resource and is
# also embedded in data_json, so it is recorded in Terraform state. The state
# backend needs encryption at rest and access control no weaker than the Vault
# path itself. Read access to this path should be limited by Vault policy to
# the workload that owns the client.
resource "vault_kv_secret_v2" "oidc" {
  mount = var.vault_mount

  # Namespace segment falls back to the client id when var.namespace is null.
  name = "${var.namespace == null ? var.client_id : var.namespace}/default/oidc-client-credentials-${var.client_id}"

  data_json = jsonencode({
    client_id     = keycloak_openid_client.oidc.client_id,
    client_secret = keycloak_openid_client.oidc.client_secret
  })
}